In a lot of programming tutorials for setting up user authentication I’ve seen everyone say Auth0 makes everything super easy, and for the most part I agree it makes things easier, but at a cost, and the tutorials instruct you on using Auth0 rather than making your own system. Here are some concerns of mine; change my view on using Auth0 as opposed to my own login/registration system.

You are trusting a 3rd party. What stops a rogue employee or a hired corporate espionage agent from going in and abusing internal tools to hijack your website’s admin panel? How could you prevent such an attack? I suppose some extra form of home-made 2nd factor of authentication could prevent this; what risks exist, and how can they be mitigated?

Will Auth0 last forever? One day could they run out of money and cease to exist? How long would it take to recover?

With those concerns being said, change my view on why I should use Auth0 like everyone says over making my own login and registration system.

I roll my own authorization since not everybody is a member of Facebook, Twitter or whatever. I can’t force them to become a member of any social network just to register as a user on my site.

That said, have SSL Certs on your server.
2nd, don’t store plain text passwords in the database. Store only the encrypted string in your database. (That means even you, the site operator, don’t know their passwords.)
3rd, seed the user’s password. Preferably, this seed is stored somewhere. If you want to invalidate everyone’s user password, all you have to do is change the value of your seed variable. Then everybody’s password will be useless and they can’t log in, and they’ll have to reset their passwords to a new one.
4th, since all passwords are encrypted and even the site operator wouldn’t know them… re-sending the user’s password via email doesn’t work. If somebody forgets, then they’ll have to assign a new password to their account via a special link emailed to them.
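The scheme in the post above (never store the plaintext, a global "seed" whose rotation invalidates every password, reset only via an emailed link), as an added example that is not code from the thread. It uses a salted one-way hash (PBKDF2-HMAC-SHA256) with the seed applied as a pepper, which is the standard way to get the behaviour the post describes; `PEPPER`, the function names and the in-memory dictionaries are assumptions for illustration, and token expiry is a fixed 15 minutes.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Tuple

# The post's "seed variable": a global pepper kept outside the database (env var or
# secret manager). Rotating it makes every stored hash unverifiable at once.
PEPPER = b"constructed-example-pepper-rotate-to-invalidate-all"  # constructed value
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor
RESET_TTL_SECONDS = 15 * 60

def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return 'salt$hash' in hex. The plaintext is never written anywhere."""
    salt = os.urandom(16)  # per-user salt, stored beside the hash
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    candidate = hashlib.pbkdf2_hmac("sha256", peppered, bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Reset flow: because nobody can recover the plaintext, a forgotten password is
# replaced through a single-use, time-limited token sent by email. Only the
# token's hash is stored, so reading the table does not yield working reset links.
_reset_tokens: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (username, expiry)

def issue_reset_token(username: str) -> str:
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    _reset_tokens[key] = (username, time.time() + RESET_TTL_SECONDS)
    return token  # this value goes into the emailed link, never the hash

def redeem_reset_token(token: str, new_password: str, users: Dict[str, str]) -> bool:
    """Consume the token and replace the user's hash; False if unknown, used or expired."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = _reset_tokens.pop(key, None)  # pop makes the token single-use
    if entry is None:
        return False
    username, expiry = entry
    if time.time() > expiry or username not in users:
        return False
    users[username] = hash_password(new_password)
    return True
```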

You are trusting a 3rd party. What stops a rogue employee or a hired corporate espionage agent from going in and abusing internal tools to hijack your website’s admin panel? How could you prevent such an attack? I suppose some extra form of home-made 2nd factor of authentication could prevent this; what risks exist, and how can they be mitigated?

This is a totally legitimate point. The more control we give to third parties, the more exposed we are. If privacy is a concern (and it should be), we ought to avoid Auth0. It’s not so absurdly difficult to set up OAuth on your own server that I’d want to use a third party. It doesn’t even take an angry employee to make this a problem, as the company could be selling user data to other companies, or just handing it over to government entities.

Of course, when working for a company we’ll rarely have any input into whether or not we should use Auth0, but for your own projects, why not roll your own?

Another factor you should consider when deciding whether to integrate Auth is User Experience.

Many services choose nowadays to enable the user to register with (what is at least perceived as) a trusty service (Google, Facebook …) due to how easy it is.

Usability is a major factor in how successful a service will be, and it is well known that registration is often perceived as a barrier; that’s why even big companies spanning from e-commerce to videogames provide a means to log in using Auth.

To sum it up, here’s the relevant part of a Medium article by Nick Babich about UX during login:

Pros: Users don’t have to fill out a registration form, create another username/password pair or verify emails, hence they can sign up in like 10 seconds instead of 10 minutes. And most important, users don’t have to remember a new username/password.

Cons: Since the information about the user is loaded automatically, it raises a huge privacy concern, and not everyone is likely to be happy to share their profile data. For such cases you should have a traditional login system running in parallel.